From 825890d89380dd3d992f1d25ae1d8080e7aac05b Mon Sep 17 00:00:00 2001 From: svcAPLBot <174728082+svcAPLBot@users.noreply.github.com> Date: Fri, 15 Aug 2025 00:53:11 +0000 Subject: [PATCH] chore(chart-deps): update oauth2-proxy to version 7.18.0 --- chart/chart-index/Chart.yaml | 2 +- charts/oauth2-proxy/Chart.lock | 6 +- charts/oauth2-proxy/Chart.yaml | 14 +- charts/oauth2-proxy/README.md | 9 +- charts/oauth2-proxy/charts/redis/Chart.lock | 6 +- charts/oauth2-proxy/charts/redis/Chart.yaml | 14 +- charts/oauth2-proxy/charts/redis/README.md | 22 ++ .../charts/redis/charts/common/Chart.yaml | 4 +- .../charts/redis/charts/common/README.md | 2 - .../charts/common/templates/_capabilities.tpl | 2 +- .../charts/common/templates/_ingress.tpl | 20 -- .../redis/charts/common/templates/_names.tpl | 7 +- .../charts/redis/templates/NOTES.txt | 4 +- .../redis/templates/scripts-configmap.yaml | 188 ++++++++++++++++-- .../charts/redis/templates/svc-external.yaml | 4 +- charts/oauth2-proxy/charts/redis/values.yaml | 12 +- charts/oauth2-proxy/templates/hpa.yaml | 11 + .../templates/poddisruptionbudget.yaml | 10 +- charts/oauth2-proxy/templates/service.yaml | 7 + charts/oauth2-proxy/values.yaml | 37 +++- 20 files changed, 305 insertions(+), 76 deletions(-) diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index d6807bbd96..ff5f9c6b47 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -75,7 +75,7 @@ dependencies: version: 11.10.13 repository: https://charts.bitnami.com/bitnami - name: oauth2-proxy - version: 7.12.18 + version: 7.18.0 repository: https://oauth2-proxy.github.io/manifests - name: opentelemetry-operator alias: otel-operator diff --git a/charts/oauth2-proxy/Chart.lock b/charts/oauth2-proxy/Chart.lock index c4f231969d..71caeec88b 100644 --- a/charts/oauth2-proxy/Chart.lock +++ b/charts/oauth2-proxy/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: redis repository: https://charts.bitnami.com/bitnami - version: 21.2.3 -digest: sha256:43cdc9bb861291fef9537f0d7186fc8db6eba1a42df5d23ddb9a39ac7917702e -generated: "2025-06-11T07:39:11.941597009Z" + version: 22.0.1 +digest: sha256:7e8f393290629839ef212fb63e9ab4c5170ccba3da30c06c464a554987fcbb45 +generated: "2025-08-11T14:45:37.460990457Z" diff --git a/charts/oauth2-proxy/Chart.yaml b/charts/oauth2-proxy/Chart.yaml index 4b14e7c09d..5de4c30024 100644 --- a/charts/oauth2-proxy/Chart.yaml +++ b/charts/oauth2-proxy/Chart.yaml @@ -1,18 +1,20 @@ annotations: artifacthub.io/changes: | - - kind: changed - description: Updated the Redis chart to the latest version + - kind: added + description: Added support for PodDisruptionBudget unhealthyPodEvictionPolicy links: - name: Github PR - url: https://github.com/oauth2-proxy/manifests/pull/316 + url: https://github.com/oauth2-proxy/manifests/pull/336 + - name: Kubernetes documentation + url: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy apiVersion: v2 -appVersion: 7.9.0 +appVersion: 7.11.0 dependencies: - alias: redis condition: redis.enabled name: redis repository: https://charts.bitnami.com/bitnami - version: 21.2.3 + version: 22.0.1 description: A reverse proxy that provides authentication with Google, Github or other providers home: https://oauth2-proxy.github.io/oauth2-proxy/ @@ -36,4 +38,4 @@ name: oauth2-proxy sources: - https://github.com/oauth2-proxy/oauth2-proxy - https://github.com/oauth2-proxy/manifests -version: 7.12.18 +version: 7.18.0 diff --git a/charts/oauth2-proxy/README.md b/charts/oauth2-proxy/README.md index 15b753972e..548dd03adc 100644 --- a/charts/oauth2-proxy/README.md +++ b/charts/oauth2-proxy/README.md 
@@ -120,6 +120,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` | | `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` | | `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` | +| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` | | `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | | `alphaConfig.annotations` | Configmap annotations | `{}` | | `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | 
@@ -178,7 +179,9 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `podAnnotations` | annotations to add to each pod | `{}` | | `podLabels` | additional labels to add to each pod | `{}` | | `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true | -| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget | 1 | +| `podDisruptionBudget.maxUnavailable` | maxUnavailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | null | +| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | 1 | +| `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` | | `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | | `priorityClassName` | priorityClassName | `nil` | | `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | 
@@ -199,6 +202,10 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` | | `service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` | | `service.targetPort` | (optional) a numeric port number (e.g., 80) or a port name defined in the pod's container(s) (e.g., http) | `""` | +| `service.ipDualStack.enabled` | enable IPv4/IPv6 dual-stack for the service | `false` | +| `service.ipDualStack.ipFamilies` | ip families for the service if IPv4/IPv6 dual-stack is enabled | `["IPv6", "IPv4"]` | +| `service.ipDualStack.ipFamilyPolicy` | ip family policy for the service if IPv4/IPv6 dual-stack is enabled | `"PreferDualStack"` | +| `service.trafficDistribution` | traffic distribution policy for the service. See [Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution) | `""` | | `serviceAccount.enabled` | create a service account | `true` | | `serviceAccount.name` | the service account name | `` | | `serviceAccount.annotations` | (optional) annotations for the service account | `{}` | diff --git a/charts/oauth2-proxy/charts/redis/Chart.lock b/charts/oauth2-proxy/charts/redis/Chart.lock index 82b0598db2..5e79dc2f59 100644 --- a/charts/oauth2-proxy/charts/redis/Chart.lock +++ b/charts/oauth2-proxy/charts/redis/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.31.0 -digest: sha256:c4c9af4e0ca23cf2c549e403b2a2bba2c53a3557cee23da09fa4cdf710044c2c -generated: "2025-05-06T10:59:26.624907586+02:00" + version: 2.31.3 +digest: sha256:f9c314553215490ea1b94c70082cb152d6ff5916ce185b4e00f5287f81545b4c +generated: "2025-08-07T15:58:39.930610919Z" diff --git a/charts/oauth2-proxy/charts/redis/Chart.yaml b/charts/oauth2-proxy/charts/redis/Chart.yaml index bc6f461f44..f72bc247b4 100644 
--- a/charts/oauth2-proxy/charts/redis/Chart.yaml +++ b/charts/oauth2-proxy/charts/redis/Chart.yaml @@ -2,19 +2,19 @@ annotations: category: Database images: | - name: kubectl - image: docker.io/bitnami/kubectl:1.33.1-debian-12-r5 + image: docker.io/bitnami/kubectl:1.33.3-debian-12-r3 - name: os-shell - image: docker.io/bitnami/os-shell:12-debian-12-r46 + image: docker.io/bitnami/os-shell:12-debian-12-r50 - name: redis - image: docker.io/bitnami/redis:8.0.2-debian-12-r3 + image: docker.io/bitnami/redis:8.2.0-debian-12-r0 - name: redis-exporter - image: docker.io/bitnami/redis-exporter:1.74.0-debian-12-r0 + image: docker.io/bitnami/redis-exporter:1.75.0-debian-12-r0 - name: redis-sentinel - image: docker.io/bitnami/redis-sentinel:8.0.2-debian-12-r2 + image: docker.io/bitnami/redis-sentinel:8.2.0-debian-12-r0 licenses: Apache-2.0 tanzuCategory: service apiVersion: v2 -appVersion: 8.0.2 +appVersion: 8.2.0 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts @@ -36,4 +36,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 21.2.3 +version: 22.0.1 diff --git a/charts/oauth2-proxy/charts/redis/README.md b/charts/oauth2-proxy/charts/redis/README.md index e33dd3511b..6e5807729c 100644 --- a/charts/oauth2-proxy/charts/redis/README.md +++ b/charts/oauth2-proxy/charts/redis/README.md 
@@ -18,6 +18,17 @@ helm install my-release oci://registry-1.docker.io/bitnamicharts/redis Looking to use Redis® in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. +## ⚠️ Important Notice: Upcoming changes to the Bitnami Catalog + +Beginning August 28th, 2025, Bitnami will evolve its public catalog to offer a curated set of hardened, security-focused images under the new [Bitnami Secure Images initiative](https://news.broadcom.com/app-dev/broadcom-introduces-bitnami-secure-images-for-production-ready-containerized-applications). As part of this transition: + +- Granting community users access for the first time to security-optimized versions of popular container images. +- Bitnami will begin deprecating support for non-hardened, Debian-based software images in its free tier and will gradually remove non-latest tags from the public catalog. As a result, community users will have access to a reduced number of hardened images. These images are published only under the “latest” tag and are intended for development purposes +- Starting August 28th, over two weeks, all existing container images, including older or versioned tags (e.g., 2.50.0, 10.6), will be migrated from the public catalog (docker.io/bitnami) to the “Bitnami Legacy” repository (docker.io/bitnamilegacy), where they will no longer receive updates. +- For production workloads and long-term support, users are encouraged to adopt Bitnami Secure Images, which include hardened containers, smaller attack surfaces, CVE transparency (via VEX/KEV), SBOMs, and enterprise support. + +These changes aim to improve the security posture of all Bitnami users by promoting best practices for software supply chain integrity and up-to-date deployments. For more details, visit the [Bitnami Secure Images announcement](https://github.com/bitnami/containers/issues/83267). 
+ ## Introduction This chart bootstraps a [Redis®](https://github.com/bitnami/containers/tree/main/bitnami/redis) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. @@ -93,6 +104,17 @@ Bitnami will release a new chart updating its containers if a new version of the To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. +### Load custom modules in Redis® + +You can use the `commonConfiguration` parameter to specify the modules to load. For example, to load the RediSearch, RedisBloom, RedisJSON and RedisTimeSeries modules supported from Redis® 8+, you can set the following: + +```yaml +commonConfiguration: | + loadmodule /opt/bitnami/redis/lib/redis/modules/redisbloom.so + loadmodule /opt/bitnami/redis/lib/redis/modules/redisearch.so + loadmodule /opt/bitnami/redis/lib/redis/modules/rejson.so + loadmodule /opt/bitnami/redis/lib/redis/modules/redistimeseries.so + ### Bootstrapping with an External Cluster This chart is equipped with the ability to bring online a set of Pods that connect to an existing Redis deployment that lies outside of Kubernetes. This effectively creates a hybrid Redis Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single Redis Deployment. This is helpful in situations where one may be migrating Redis from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration: diff --git a/charts/oauth2-proxy/charts/redis/charts/common/Chart.yaml b/charts/oauth2-proxy/charts/redis/charts/common/Chart.yaml index 49ec73d7c0..29a53f9160 100644 --- a/charts/oauth2-proxy/charts/redis/charts/common/Chart.yaml +++ b/charts/oauth2-proxy/charts/redis/charts/common/Chart.yaml 
@@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.31.0 +appVersion: 2.31.3 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts/tree/main/bitnami/common type: library -version: 2.31.0 +version: 2.31.3 diff --git a/charts/oauth2-proxy/charts/redis/charts/common/README.md b/charts/oauth2-proxy/charts/redis/charts/common/README.md index b84bbbabfc..2860536077 100644 --- a/charts/oauth2-proxy/charts/redis/charts/common/README.md +++ b/charts/oauth2-proxy/charts/redis/charts/common/README.md @@ -30,8 +30,6 @@ Looking to use our applications in production? Try [VMware Tanzu Application Cat This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. -Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/oauth2-proxy/charts/redis/charts/common/templates/_capabilities.tpl b/charts/oauth2-proxy/charts/redis/charts/common/templates/_capabilities.tpl index 6efde9d348..58f58c1c10 100644 --- a/charts/oauth2-proxy/charts/redis/charts/common/templates/_capabilities.tpl +++ b/charts/oauth2-proxy/charts/redis/charts/common/templates/_capabilities.tpl @@ -115,7 +115,7 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler. Return the appropriate apiVersion for Vertical Pod Autoscaler. */}} {{- define "common.capabilities.vpa.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} {{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} {{- print "autoscaling/v1beta2" -}} {{- else -}} 
diff --git a/charts/oauth2-proxy/charts/redis/charts/common/templates/_ingress.tpl b/charts/oauth2-proxy/charts/redis/charts/common/templates/_ingress.tpl index 3973805657..2d0dbf1e60 100644 --- a/charts/oauth2-proxy/charts/redis/charts/common/templates/_ingress.tpl +++ b/charts/oauth2-proxy/charts/redis/charts/common/templates/_ingress.tpl @@ -27,26 +27,6 @@ service: {{- end }} {{- end -}} -{{/* -TODO: Remove as soon it is removed from the rest of the charts -Print "true" if the API pathType field is supported -Usage: -{{ include "common.ingress.supportsPathType" . }} -*/}} -{{- define "common.ingress.supportsPathType" -}} -{{- print "true" -}} -{{- end -}} - -{{/* -TODO: Remove as soon it is removed from the rest of the charts -Returns true if the ingressClassname field is supported -Usage: -{{ include "common.ingress.supportsIngressClassname" . }} -*/}} -{{- define "common.ingress.supportsIngressClassname" -}} -{{- print "true" -}} -{{- end -}} - {{/* Return true if cert-manager required annotations for TLS signed certificates are set in the Ingress annotations diff --git a/charts/oauth2-proxy/charts/redis/charts/common/templates/_names.tpl b/charts/oauth2-proxy/charts/redis/charts/common/templates/_names.tpl index ba83956852..d5d0ae438e 100644 --- a/charts/oauth2-proxy/charts/redis/charts/common/templates/_names.tpl +++ b/charts/oauth2-proxy/charts/redis/charts/common/templates/_names.tpl 
@@ -28,10 +28,11 @@ If release name contains chart name it will be used as a full name. {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- $releaseName := regexReplaceAll "(-?[^a-z\\d\\-])+-?" (lower .Release.Name) "-" -}} +{{- if contains $name $releaseName -}} +{{- $releaseName | trunc 63 | trimSuffix "-" -}} {{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- printf "%s-%s" $releaseName $name | trunc 63 | trimSuffix "-" -}} {{- end -}} {{- end -}} {{- end -}} diff --git a/charts/oauth2-proxy/charts/redis/templates/NOTES.txt b/charts/oauth2-proxy/charts/redis/templates/NOTES.txt index 7da2dedb1d..5f70d79e4b 100644 --- a/charts/oauth2-proxy/charts/redis/templates/NOTES.txt +++ b/charts/oauth2-proxy/charts/redis/templates/NOTES.txt @@ -2,7 +2,9 @@ CHART NAME: {{ .Chart.Name }} CHART VERSION: {{ .Chart.Version }} APP VERSION: {{ .Chart.AppVersion }} -Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information. +⚠ WARNING: Since August 28th, 2025, only a limited subset of images/charts are available for free. + Subscribe to Bitnami Secure Images to receive continued support and security updates. + More info at https://bitnami.com and https://github.com/bitnami/containers/issues/83267 ** Please be patient while the chart is being deployed ** diff --git a/charts/oauth2-proxy/charts/redis/templates/scripts-configmap.yaml b/charts/oauth2-proxy/charts/redis/templates/scripts-configmap.yaml index 2fad466101..84ee304cab 100644 --- a/charts/oauth2-proxy/charts/redis/templates/scripts-configmap.yaml 
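Review bot: The new `$releaseName` normalisation changes what `common.names.fullname` returns for any already-installed release whose name contains uppercase letters or characters outside `[a-z0-9-]`, and fullname is the prefix other templates build resource names from (the `HEADLESS_SERVICE` string in scripts-configmap.yaml below is derived from it), so a `helm upgrade` of such a release would render freshly named objects and leave the previously created ones, and any data attached to them, behind rather than adopt them. Whether any release in this repository has such a name cannot be told from the diff; for names that are already lower-case DNS labels the regex is a no-op and the change is harmless. The hazard is undocumented in the hunk; a comment in the define's header block along the lines of `{{/* Release names are lower-cased and runs of characters outside [a-z0-9-] are collapsed to "-"; a changed fullname on upgrade re-creates the chart's named resources */}}` would surface it to chart consumers. The enclosing `common.names.fullname` define starts outside the hunk.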
+++ b/charts/oauth2-proxy/charts/redis/templates/scripts-configmap.yaml @@ -71,8 +71,6 @@ data: REDISPORT=$(get_port "$HOSTNAME" "REDIS") - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" - if [ -n "$REDIS_EXTERNAL_MASTER_HOST" ]; then REDIS_SERVICE="$REDIS_EXTERNAL_MASTER_HOST" else @@ -115,6 +113,39 @@ data: retry_while "eval $sentinel_info_command" 2 5 } + {{- if and .Values.sentinel.externalAccess.enabled .Values.sentinel.externalAccess.service.loadBalancerIP }} + + SERVICE_NAMES="{{- $fullname := include "common.names.fullname" . -}} + {{- range $i, $e := .Values.sentinel.externalAccess.service.loadBalancerIP -}} + {{- if $i }} {{ end }}{{ printf "%s-svc-%d" $fullname $i }} + {{- end }}" + SERVICE_IPS="{{- range $i, $ip := .Values.sentinel.externalAccess.service.loadBalancerIP -}} + {{- if $i }} {{ end }}{{ $ip }} + {{- end }}" + + + # Helper function to get IP by service name + get_service_ip() { + search_name="$1" + set -- $SERVICE_NAMES + for i in $(seq 1 $#); do + eval name=\${$i} + if [ "$name" = "$search_name" ]; then + set -- $SERVICE_IPS + eval echo \${$i} + return 0 + fi + done + return 1 + } + + SVC_NAME=$(hostname | sed 's/node/svc/g') + CURRENT_SERVICE_IP=$(get_service_ip "$SVC_NAME") + echo "CURRENT_SERVICE_IP: $CURRENT_SERVICE_IP" + {{- else }} + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{- include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- if and .Values.replica.containerSecurityContext.runAsUser (eq (.Values.replica.containerSecurityContext.runAsUser | int) 0) }} useradd redis chown -R redis {{ .Values.replica.persistence.path }} 
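Review bot: `get_service_ip` looks up positional parameters with `eval name=\${$i}` and `eval echo \${$i}`, where `$SERVICE_NAMES` and `$SERVICE_IPS` are word-split strings rendered straight from `.Values.sentinel.externalAccess.service.loadBalancerIP`; the surrounding script is already bash (`[[ ... ]]` and `${REDIS_SENTINEL_INFO[0]}` in the next hunks), so bash indirect expansion performs the same lookup without feeding chart values through `eval`: `name="${!i}"` and `echo "${!i}"`. The helper also switches to POSIX `[ "$name" = "$search_name" ]` while the rest of the file uses `[[ ]]`, which reads as a paste from elsewhere. The identical block is repeated in the hunks at `@@ -503,7 +541,37` and `@@ -583,10 +677,44` below, so any change should be applied to all three copies; the unconditional `echo "CURRENT_SERVICE_IP: $CURRENT_SERVICE_IP"` at the end of this copy looks like leftover debugging output that runs on every start.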
@@ -124,7 +155,7 @@ data: [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" # check if there is a master - master_in_persisted_conf="$(get_full_hostname "$HOSTNAME")" + master_in_persisted_conf="$(get_service_ip "$SVC_NAME")" master_port_in_persisted_conf="$REDIS_MASTER_PORT_NUMBER" master_in_sentinel="$(get_sentinel_master_info)" redisRetVal=$? @@ -141,7 +172,11 @@ data: fi if [[ $redisRetVal -ne 0 ]]; then + {{- if and .Values.sentinel.externalAccess.enabled .Values.sentinel.externalAccess.service.loadBalancerIP }} + if [[ "$master_in_persisted_conf" == "$(get_service_ip "$SVC_NAME")" ]]; then + {{- else }} if [[ "$master_in_persisted_conf" == "$(get_full_hostname "$HOSTNAME")" ]]; then + {{- end }} # Case 1: No active sentinel and in previous sentinel.conf we were the master --> MASTER info "Configuring the node as master" export REDIS_REPLICATION_MODE="master" @@ -158,8 +193,11 @@ data: info "Current master: REDIS_SENTINEL_INFO=(${REDIS_SENTINEL_INFO[0]},${REDIS_SENTINEL_INFO[1]})" REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} - + {{- if and .Values.sentinel.externalAccess.enabled .Values.sentinel.externalAccess.service.loadBalancerIP }} + if [[ "$REDIS_MASTER_HOST" == "$(get_service_ip "$SVC_NAME")" ]]; then + {{- else }} if [[ "$REDIS_MASTER_HOST" == "$(get_full_hostname "$HOSTNAME")" ]]; then + {{- end }} # Case 3: Active sentinel and master it is this node --> MASTER info "Configuring the node as master" export REDIS_REPLICATION_MODE="master" 
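Review bot: `master_in_persisted_conf="$(get_service_ip "$SVC_NAME")"` is rendered unconditionally, but `get_service_ip` and `SVC_NAME` are only defined inside the `{{- if and .Values.sentinel.externalAccess.enabled .Values.sentinel.externalAccess.service.loadBalancerIP }}` branch of the previous hunk (`@@ -115,6 +113,39`); with external access disabled the shell reports the function as not found and, unless the script runs under errexit (not visible here), continues with an empty value, so the Case 1 comparison against `get_full_hostname "$HOSTNAME"` in the `@@ -141,7 +172,11` hunk can never be true and a restarting node that was previously master is not reconfigured as master. The line needs the same conditional the commit already places around the later comparisons. Whether this repository runs the Redis subchart with sentinel enabled cannot be told from the diff, but the template is wrong for the default (no external access) path.
```yaml
    # … unchanged: REDIS_MASTER_PASSWORD export …
    # check if there is a master
    {{- if and .Values.sentinel.externalAccess.enabled .Values.sentinel.externalAccess.service.loadBalancerIP }}
    master_in_persisted_conf="$(get_service_ip "$SVC_NAME")"
    {{- else }}
    master_in_persisted_conf="$(get_full_hostname "$HOSTNAME")"
    {{- end }}
    master_port_in_persisted_conf="$REDIS_MASTER_PORT_NUMBER"
    # … unchanged: get_sentinel_master_info call …
```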
@@ -503,7 +541,37 @@ data: . /opt/bitnami/scripts/libvalidations.sh . /opt/bitnami/scripts/libos.sh - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" + {{- if and .Values.sentinel.externalAccess.enabled .Values.sentinel.externalAccess.service.loadBalancerIP }} + + SERVICE_NAMES="{{ $fullname := include "common.names.fullname" . -}} + {{- range $i, $e := .Values.sentinel.externalAccess.service.loadBalancerIP -}} + {{- if $i }} {{ end }}{{ printf "%s-svc-%d" $fullname $i }} + {{- end }}" + SERVICE_IPS="{{- range $i, $ip := .Values.sentinel.externalAccess.service.loadBalancerIP -}} + {{- if $i }} {{ end }}{{ $ip }} + {{- end }}" + + + # Helper function to get IP by service name + get_service_ip() { + search_name="$1" + set -- $SERVICE_NAMES + for i in $(seq 1 $#); do + eval name=\${$i} + if [ "$name" = "$search_name" ]; then + set -- $SERVICE_IPS + eval echo \${$i} + return 0 + fi + done + return 1 + } + + SVC_NAME=$(hostname | sed 's/node/svc/g') + {{- else }} + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{- include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" + {{- end }} + get_full_hostname() { hostname="$1" 
@@ -534,19 +602,45 @@ data: run_sentinel_command() { if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" + redis-cli -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" else - redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@" + redis-cli -p "$REDIS_SENTINEL_PORT" sentinel "$@" fi } + sentinel_failover_finished() { - REDIS_SENTINEL_INFO=($(run_sentinel_command get-master-addr-by-name "{{ .Values.sentinel.masterSet }}")) - REDIS_MASTER_HOST="${REDIS_SENTINEL_INFO[0]}" - [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] + REDIS_SENTINEL_INFO=($(run_sentinel_command get-master-addr-by-name "{{ .Values.sentinel.masterSet }}")) + echo "REDIS_SENTINEL_INFO: $REDIS_SENTINEL_INFO" + REDIS_MASTER_HOST="${REDIS_SENTINEL_INFO[0]}" + echo "REDIS_MASTER_HOST: $REDIS_MASTER_HOST" + {{- if .Values.sentinel.externalAccess.enabled }} + # Get the current service name and its IP + CURRENT_SERVICE_NAME="$SVC_NAME" + echo "CURRENT_SERVICE_NAME: $CURRENT_SERVICE_NAME" + CURRENT_SERVICE_IP=$(get_service_ip "$CURRENT_SERVICE_NAME") + echo "CURRENT_SERVICE_IP: $CURRENT_SERVICE_IP" + # Check if both variables are not empty + if [[ -z "$REDIS_MASTER_HOST" ]]; then + echo "WARNING: REDIS_MASTER_HOST is empty, assuming failover not finished" + return 1 + fi + + if [[ -z "$CURRENT_SERVICE_IP" ]]; then + echo "WARNING: CURRENT_SERVICE_IP is empty, assuming failover not finished" + return 1 + fi + [[ "$REDIS_MASTER_HOST" != "$CURRENT_SERVICE_IP" ]] + {{- else }} + echo "REDIS_MASTER_HOST: $(get_full_hostname $HOSTNAME)" + # Check if both variables are not empty + if [[ -z "$REDIS_MASTER_HOST" ]]; then + echo "WARNING: REDIS_MASTER_HOST is empty, 
assuming failover not finished" + return 1 + fi + [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] + {{- end }} } - REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" - {{ if .Values.auth.sentinel -}} # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" @@ -583,10 +677,44 @@ data: } is_master() { REDIS_ROLE=$(run_redis_command role | head -1) + echo "REDIS_ROLE: $REDIS_ROLE" [[ "$REDIS_ROLE" == "master" ]] } + {{- if .Values.sentinel.externalAccess.enabled }} + {{- if .Values.sentinel.externalAccess.service.loadBalancerIP }} + + SERVICE_NAMES="{{ + $fullname := include "common.names.fullname" . -}} + {{- range $i, $e := .Values.sentinel.externalAccess.service.loadBalancerIP -}} + {{- if $i }} {{ end }}{{ printf "%s-svc-%d" $fullname $i }} + {{- end }}" + SERVICE_IPS="{{- range $i, $ip := .Values.sentinel.externalAccess.service.loadBalancerIP -}} + {{- if $i }} {{ end }}{{ $ip }} + {{- end }}" + + + # Helper function to get IP by service name + get_service_ip() { + search_name="$1" + set -- $SERVICE_NAMES + for i in $(seq 1 $#); do + eval name=\${$i} + if [ "$name" = "$search_name" ]; then + set -- $SERVICE_IPS + eval echo \${$i} + return 0 + fi + done + return 1 + } + + SVC_NAME=$(hostname | sed 's/node/svc/g') + {{- else }} HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{- include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- end }} + get_full_hostname() { hostname="$1" 
@@ -617,19 +745,45 @@ data: run_sentinel_command() { if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" + {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" else - {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@" + {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -p "$REDIS_SENTINEL_PORT" sentinel "$@" fi } + sentinel_failover_finished() { REDIS_SENTINEL_INFO=($(run_sentinel_command get-master-addr-by-name "{{ .Values.sentinel.masterSet }}")) + echo "REDIS_SENTINEL_INFO: $REDIS_SENTINEL_INFO" REDIS_MASTER_HOST="${REDIS_SENTINEL_INFO[0]}" + echo "REDIS_MASTER_HOST: $REDIS_MASTER_HOST" + {{- if .Values.sentinel.externalAccess.enabled }} + # Get the current service name and its IP + CURRENT_SERVICE_NAME="$SVC_NAME" + echo "CURRENT_SERVICE_NAME: $CURRENT_SERVICE_NAME" + CURRENT_SERVICE_IP=$(get_service_ip "$CURRENT_SERVICE_NAME") + echo "CURRENT_SERVICE_IP: $CURRENT_SERVICE_IP" + # Check if both variables are not empty + if [[ -z "$REDIS_MASTER_HOST" ]]; then + echo "WARNING: REDIS_MASTER_HOST is empty, assuming failover not finished" + return 1 + fi + + if [[ -z "$CURRENT_SERVICE_IP" ]]; then + echo "WARNING: CURRENT_SERVICE_IP is empty, assuming failover not finished" + return 1 + fi + [[ "$REDIS_MASTER_HOST" != "$CURRENT_SERVICE_IP" ]] + {{- else }} + echo "REDIS_MASTER_HOST: $(get_full_hostname $HOSTNAME)" + # Check if both variables are not empty + if [[ -z "$REDIS_MASTER_HOST" ]]; then + 
echo "WARNING: REDIS_MASTER_HOST is empty, assuming failover not finished" + return 1 + fi [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] + {{- end }} } - REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" - # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" [[ -f "$REDIS_PASSWORD_FILE" ]] && export REDISCLI_AUTH="$(< "${REDIS_PASSWORD_FILE}")" @@ -867,4 +1021,4 @@ data: exit fi done -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/oauth2-proxy/charts/redis/templates/svc-external.yaml b/charts/oauth2-proxy/charts/redis/templates/svc-external.yaml index f54f3f9307..34f20250e4 100644 --- a/charts/oauth2-proxy/charts/redis/templates/svc-external.yaml +++ b/charts/oauth2-proxy/charts/redis/templates/svc-external.yaml @@ -19,7 +19,9 @@ metadata: labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} pod: {{ $targetPod }} {{- if or - (ne $root.Values.sentinel.externalAccess.service.loadBalancerIPAnnotaion "") }} + (ne $root.Values.sentinel.externalAccess.service.loadBalancerIPAnnotaion "") + $root.Values.sentinel.externalAccess.service.annotations + $root.Values.sentinel.commonAnnotations }} {{- $loadBalancerIPAnnotaion := "" }} {{- if ne $root.Values.sentinel.externalAccess.service.loadBalancerIPAnnotaion ""}} {{- $loadBalancerIPAnnotaion = printf diff --git a/charts/oauth2-proxy/charts/redis/values.yaml b/charts/oauth2-proxy/charts/redis/values.yaml index 552421296c..c9e1e6930b 100644 --- a/charts/oauth2-proxy/charts/redis/values.yaml +++ b/charts/oauth2-proxy/charts/redis/values.yaml 
@@ -114,7 +114,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/redis
- tag: 8.0.2-debian-12-r3
+ tag: 8.2.0-debian-12-r0
 digest: ""
 ## Specify a imagePullPolicy
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1186,7 +1186,7 @@ sentinel:
 image:
 registry: docker.io
 repository: bitnami/redis-sentinel
- tag: 8.0.2-debian-12-r2
+ tag: 8.2.0-debian-12-r0
 digest: ""
 ## Specify a imagePullPolicy
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1785,7 +1785,7 @@ metrics:
 image:
 registry: docker.io
 repository: bitnami/redis-exporter
- tag: 1.74.0-debian-12-r0
+ tag: 1.75.0-debian-12-r0
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -2163,7 +2163,7 @@ volumePermissions:
 image:
 registry: docker.io
 repository: bitnami/os-shell
- tag: 12-debian-12-r46
+ tag: 12-debian-12-r50
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -2227,7 +2227,7 @@ kubectl:
 image:
 registry: docker.io
 repository: bitnami/kubectl
- tag: 1.33.1-debian-12-r5
+ tag: 1.33.3-debian-12-r3
 digest: ""
 ## Specify a imagePullPolicy
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -2296,7 +2296,7 @@ sysctl:
 image:
 registry: docker.io
 repository: bitnami/os-shell
- tag: 12-debian-12-r46
+ tag: 12-debian-12-r50
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
diff --git a/charts/oauth2-proxy/templates/hpa.yaml b/charts/oauth2-proxy/templates/hpa.yaml
index a6d7461797..7fe67e7b25 100644
--- a/charts/oauth2-proxy/templates/hpa.yaml
+++ b/charts/oauth2-proxy/templates/hpa.yaml
@@ -35,4 +35,15 @@ spec:
 type: Utilization
 averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
 {{- end }}
+ {{- if .Values.autoscaling.behavior }}
+ behavior:
+ {{- with .Values.autoscaling.behavior.scaleDown }}
+ scaleDown:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.autoscaling.behavior.scaleUp }}
+ scaleUp:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/charts/oauth2-proxy/templates/poddisruptionbudget.yaml b/charts/oauth2-proxy/templates/poddisruptionbudget.yaml
index 1fc8ecc005..2bce3ec033 100644
--- a/charts/oauth2-proxy/templates/poddisruptionbudget.yaml
+++ b/charts/oauth2-proxy/templates/poddisruptionbudget.yaml
@@ -11,5 +11,13 @@ spec:
 selector:
 matchLabels:
 {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
- minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- with .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ . }}
+ {{- end }}
+ {{- with .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ . }}
+ {{- end }}
+ {{- with .Values.podDisruptionBudget.unhealthyPodEvictionPolicy }}
+ unhealthyPodEvictionPolicy: {{ . }}
+ {{- end }}
 {{- end }}
diff --git a/charts/oauth2-proxy/templates/service.yaml b/charts/oauth2-proxy/templates/service.yaml
index ab63c0daa2..04d105caee 100644
--- a/charts/oauth2-proxy/templates/service.yaml
+++ b/charts/oauth2-proxy/templates/service.yaml
@@ -59,3 +59,10 @@ spec:
 {{- end }}
 selector:
 {{- include "oauth2-proxy.selectorLabels" . | indent 4 }}
+{{- if .Values.service.ipDualStack.enabled }}
+ ipFamilies: {{ toYaml .Values.service.ipDualStack.ipFamilies | nindent 4 }}
+ ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.trafficDistribution }}
+ trafficDistribution: {{ .Values.service.trafficDistribution }}
+{{- end }}
diff --git a/charts/oauth2-proxy/values.yaml b/charts/oauth2-proxy/values.yaml
index 3a2d4c8507..d3306a47c7 100644
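Review bot: The `with` guards added in the poddisruptionbudget.yaml hunk treat a zero value as empty, so `maxUnavailable: 0` (the usual "no voluntary evictions" budget) or `minAvailable: 0` renders a PodDisruptionBudget with neither field and the budget silently stops constraining disruptions of the proxy. A nil check keeps the zero, e.g. `{{- if not (kindIs "invalid" .Values.podDisruptionBudget.maxUnavailable) }}` followed by `maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}`, with the same pattern for minAvailable. The template also does not enforce the new values.yaml note that only one of the two may be set; when both are non-null the rendered object carries both fields and the API server rejects it as mutually exclusive, so a `fail "set only one of podDisruptionBudget.minAvailable and maxUnavailable"` guard or a comment on that precondition would help. The enclosing `{{- if }}` block that the final `{{- end }}` closes starts outside the hunk.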
--- a/charts/oauth2-proxy/values.yaml
+++ b/charts/oauth2-proxy/values.yaml
@@ -155,6 +155,15 @@ service:
 internalTrafficPolicy: ""
 # configure service target port
 targetPort: ""
+ # Configures the service to use IPv4/IPv6 dual-stack.
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
+ ipDualStack:
+ enabled: false
+ ipFamilies: ["IPv6", "IPv4"]
+ ipFamilyPolicy: "PreferDualStack"
+ # Configure traffic distribution for the service
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
+ trafficDistribution: ""
 
 ## Create or use ServiceAccount
 serviceAccount:
@@ -297,9 +306,15 @@ enableServiceLinks: true
 
 ## PodDisruptionBudget settings
 ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+## One of maxUnavailable and minAvailable must be set to null.
 podDisruptionBudget:
 enabled: true
+ maxUnavailable: null
 minAvailable: 1
+ # Policy for when unhealthy pods should be considered for eviction.
+ # Valid values are "IfHealthyBudget" and "AlwaysAllow".
+ # Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy
+ unhealthyPodEvictionPolicy: ""
 
 ## Horizontal Pod Autoscaling
 ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
@@ -308,8 +323,28 @@ autoscaling:
 minReplicas: 1
 maxReplicas: 10
 targetCPUUtilizationPercentage: 80
-# targetMemoryUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
 annotations: {}
+ # Configure HPA behavior policies for scaling if needed
+ # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior
+ behavior: {}
+ # scaleDown:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Percent
+ # value: 100
+ # periodSeconds: 15
+ # selectPolicy: Min
+ # scaleUp:
+ # stabilizationWindowSeconds: 0
+ # policies:
+ # - type: Percent
+ # value: 100
+ # periodSeconds: 15
+ # - type: Pods
+ # value: 4
+ # periodSeconds: 15
+ # selectPolicy: Max
 
 # Configure Kubernetes security context for pod
 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/